labels: PDO

7 years ago · 21295a52aa
parent c2418a559b
commit 21295a52aa
1 changed files with 98 additions and 90 deletions
--- a/classes/pref/labels.php
+++ b/classes/pref/labels.php
@ -8,12 +8,13 @@ class Pref_Labels extends Handler_Protected {
 	}

 	function edit() {
-		$label_id = $this->dbh->escape_string($_REQUEST['id']);
+		$label_id = $_REQUEST['id'];

-		$result = $this->dbh->query("SELECT * FROM ttrss_labels2 WHERE
-			id = '$label_id' AND owner_uid = " . $_SESSION["uid"]);
+		$sth = $this->pdo->prepare("SELECT * FROM ttrss_labels2 WHERE
+			id = ? AND owner_uid = ?");
+		$sth->execute([$label_id, $_SESSION['uid']]);

-		$line = $this->dbh->fetch_assoc($result);
+		if ($line = $sth->fetch()) {

 			print_hidden("id", "$label_id");
 			print_hidden("op", "pref-labels");
@ -80,8 +81,7 @@ class Pref_Labels extends Handler_Protected {
 			print "<button dojoType=\"dijit.form.Button\" onclick=\"dijit.byId('labelEditDlg').hide()\">".
 				__('Cancel')."</button>";
 			print "</div>";
-
-		return;
+		}
 	}

 	function getlabeltree() {
@ -90,12 +90,13 @@ class Pref_Labels extends Handler_Protected {
 		$root['name'] = __('Labels');
 		$root['items'] = array();

-		$result = $this->dbh->query("SELECT *
+		$sth = $this->pdo->prepare("SELECT *
 			FROM ttrss_labels2
-			WHERE owner_uid = ".$_SESSION["uid"]."
+			WHERE owner_uid = ?
 			ORDER BY caption");
+		$sth->execute([$_SESSION['uid']]);

-		while ($line = $this->dbh->fetch_assoc($result)) {
+		while ($line = $sth->fetch()) {
 			$label = array();
 			$label['id'] = 'LABEL:' . $line['id'];
 			$label['bare_id'] = $line['id'];
@ -118,84 +119,92 @@ class Pref_Labels extends Handler_Protected {
 	}

 	function colorset() {
-		$kind = $this->dbh->escape_string($_REQUEST["kind"]);
-		$ids = explode(',', $this->dbh->escape_string($_REQUEST["ids"]));
-		$color = $this->dbh->escape_string($_REQUEST["color"]);
-		$fg = $this->dbh->escape_string($_REQUEST["fg"]);
-		$bg = $this->dbh->escape_string($_REQUEST["bg"]);
+		$kind = $_REQUEST["kind"];
+		$ids = explode(',', $_REQUEST["ids"]);
+		$color = $_REQUEST["color"];
+		$fg = $_REQUEST["fg"];
+		$bg = $_REQUEST["bg"];

 		foreach ($ids as $id) {

 			if ($kind == "fg" || $kind == "bg") {
-				$this->dbh->query("UPDATE ttrss_labels2 SET
-					${kind}_color = '$color' WHERE id = '$id'
-					AND owner_uid = " . $_SESSION["uid"]);
+				$sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET
+					${kind}_color = ? WHERE id = ?
+					AND owner_uid = ?");
+
+				$sth->execute([$color, $id, $_SESSION['uid']]);
+
 			} else {
-				$this->dbh->query("UPDATE ttrss_labels2 SET
-					fg_color = '$fg', bg_color = '$bg' WHERE id = '$id'
-					AND owner_uid = " . $_SESSION["uid"]);
+
+				$sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET
+					fg_color = ?, bg_color = ? WHERE id = ?
+					AND owner_uid = ?");
+
+				$sth->execute([$fg, $bg, $id, $_SESSION['uid']]);
 			}

-			$caption = $this->dbh->escape_string(Labels::find_caption($id, $_SESSION["uid"]));
+			$caption = Labels::find_caption($id, $_SESSION["uid"]);

 			/* Remove cached data */

-			$this->dbh->query("UPDATE ttrss_user_entries SET label_cache = ''
-				WHERE label_cache LIKE '%$caption%' AND owner_uid = " . $_SESSION["uid"]);
-
+			$sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET label_cache = ''
+				WHERE label_cache LIKE ? AND owner_uid = ?");
+			$sth->execute(["%$caption%", $_SESSION['uid']]);
 		}
-
-		return;
 	}

 	function colorreset() {
-		$ids = explode(',', $this->dbh->escape_string($_REQUEST["ids"]));
+		$ids = explode(',', $_REQUEST["ids"]);

 		foreach ($ids as $id) {
-			$this->dbh->query("UPDATE ttrss_labels2 SET
-				fg_color = '', bg_color = '' WHERE id = '$id'
-				AND owner_uid = " . $_SESSION["uid"]);
+			$sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET
+				fg_color = '', bg_color = '' WHERE id = ?
+				AND owner_uid = ?");
+			$sth->execute([$id, $_SESSION['uid']]);

-			$caption = $this->dbh->escape_string(Labels::find_caption($id, $_SESSION["uid"]));
+			$caption = Labels::find_caption($id, $_SESSION["uid"]);

 			/* Remove cached data */

-			$this->dbh->query("UPDATE ttrss_user_entries SET label_cache = ''
-				WHERE label_cache LIKE '%$caption%' AND owner_uid = " . $_SESSION["uid"]);
+			$sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET label_cache = ''
+				WHERE label_cache LIKE ? AND owner_uid = ?");
+			$sth->execute(["%$caption%", $_SESSION['uid']]);
 		}
-
 	}

 	function save() {

-		$id = $this->dbh->escape_string($_REQUEST["id"]);
-		$caption = $this->dbh->escape_string(trim($_REQUEST["caption"]));
+		$id = $_REQUEST["id"];
+		$caption = trim($_REQUEST["caption"]);

-		$this->dbh->query("BEGIN");
+		$this->pdo->beginTransaction();

-		$result = $this->dbh->query("SELECT caption FROM ttrss_labels2
-			WHERE id = '$id' AND owner_uid = ". $_SESSION["uid"]);
+		$sth = $this->pdo->prepare("SELECT caption FROM ttrss_labels2
+			WHERE id = ? AND owner_uid = ?");
+		$sth->execute([$id, $_SESSION['uid']]);

-		if ($this->dbh->num_rows($result) != 0) {
-			$old_caption = $this->dbh->fetch_result($result, 0, "caption");
+		if ($row = $sth->fetch()) {
+			$old_caption = $row["caption"];

-			$result = $this->dbh->query("SELECT id FROM ttrss_labels2
-				WHERE caption = '$caption' AND owner_uid = ". $_SESSION["uid"]);
+			$sth = $this->pdo->prepare("SELECT id FROM ttrss_labels2
+				WHERE caption = ? AND owner_uid = ?");
+			$sth->execute([$caption, $_SESSION['uid']]);

-			if ($this->dbh->num_rows($result) == 0) {
+			if (!$sth->fetch()) {
 				if ($caption) {
-					$result = $this->dbh->query("UPDATE ttrss_labels2 SET
-						caption = '$caption' WHERE id = '$id' AND
-						owner_uid = " . $_SESSION["uid"]);
+					$sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET
+						caption = ? WHERE id = ? AND
+						owner_uid = ?");
+					$sth->execute([$caption, $id, $_SESSION['uid']]);

 					/* Update filters that reference label being renamed */

-					$old_caption = $this->dbh->escape_string($old_caption);
-
-					$this->dbh->query("UPDATE ttrss_filters2_actions SET
-						action_param = '$caption' WHERE action_param = '$old_caption'
+					$sth = $this->pdo->prepare("UPDATE ttrss_filters2_actions SET
+						action_param = ? WHERE action_param = ?
 						AND action_id = 7
-						AND filter_id IN (SELECT id FROM ttrss_filters2 WHERE owner_uid = ".$_SESSION["uid"].")");
+						AND filter_id IN (SELECT id FROM ttrss_filters2 WHERE owner_uid = ?)");
+
+					$sth->execute([$caption, $old_caption, $_SESSION['uid']]);

 					print $_REQUEST["value"];
 				} else {
@ -206,14 +215,13 @@ class Pref_Labels extends Handler_Protected {
 			}
 		}

-		$this->dbh->query("COMMIT");
+		$this->pdo->commit();

-		return;
 	}

 	function remove() {

-		$ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"]));
+		$ids = explode(",", $_REQUEST["ids"]);

 		foreach ($ids as $id) {
 			Labels::remove($id, $_SESSION["uid"]);
@ -222,8 +230,8 @@ class Pref_Labels extends Handler_Protected {
 	}

 	function add() {
-		$caption = $this->dbh->escape_string($_REQUEST["caption"]);
-		$output = $this->dbh->escape_string($_REQUEST["output"]);
+		$caption = $_REQUEST["caption"];
+		$output = $_REQUEST["output"];

 		if ($caption) {